Two ISPs - Two Routers - 1 PIX

I'm trying to figure out how to deploy this. What would you do?

I have two ISPs. I have two routers (2621) that connect to each ISP; both
gave me 30 routable IPs. I'd like to set up some type of redundant
connection. BGP is out of the question. I understand that failover won't
work from outside coming in, but inside going out can be achieved. The PIX
515 I have has 6 interfaces. Should I configure the 2nd ISP on one of the
other interfaces, or get another PIX (506e) and have two default gateways w/
policy mapping on my internal router (3640)? Say if ISPA goes down, we call
our clients and they connect to ISPB.


"Redundant connection" can mean a number of different things.

If you want your inside hosts to be able to get out even if one of the
ISPs goes down, then if you have PIX 6.3 you can set up OSPF on the
routers to send the PIX floating static routes, each sending the route
to its own ISP with high priority and the route to the other ISP with
low priority. When an interface goes down, the associated 2621 would
stop sending the OSPF route, and the high priority route to that ISP
would disappear from inside the PIX, leaving only the low priority route
via the other 2621.

(You just might be able to do something similar with RIP; I'm not sure.)

--
Tenser, said the Tensor.
Tenser, said the Tensor.
Tension, apprehension,
And dissension have begun. -- Alfred Bester (tDM)


Thanks for the reply. So I run a routing protocol between the
routers, but I would plug the 2nd router into a third interface of the PIX?
I just want to understand you correctly.

Regards,


Hmm, I think you have the gist of it but he's going to need more. First,
you don't "send" floating static
routes, but you can change the metric of redistributed static routes via
OSPF thereby influencing the preferred route. Second, what is there to
send to the PIX besides a default in this case? I don't follow your
statement "each sending the route to its own ISP with high priority and the
route to the other ISP with low priority.". What "route" to its own ISP,
default? Doesn't make sense, but it doesn't matter.

If all you are looking for is ISP2 to backup ISP1, yes you should use a
dynamic protocol, preferably OSPF in 6.3. You can use two interfaces on the
PIX if you like. For example ISP1 on the outside interface and ISP2 on
another interface you could name "outside2", with security0 (yes, you can).
I strongly recommend making "outside2" security0 as two interfaces with the
same security level cannot communicate with each other. This allows for
easy isolation of the two ISPs. The outside IP address would be one of the
30 from ISP1 and the ethernet on ISP1's router would be another. Same with
ISP2. Alternatively you can use one pix interface with VLANs but it's a
little more straightforward to just use two interfaces. Set a default
static on each router pointing to its respective ISP. On the routers,
redistribute this static route into OSPF, use a higher metric on ISP2's
router to make the default less attractive to the PIX. Or, if you don't
care which ISP is primary and which is the backup, just redistribute the
route on both with the defaults and let the PIX choose. If the primary goes
away, you'll have the other one there.

You'll then set up a nat for the inside and a global for outside and
outside2. For example, to PAT on the IP address of the outside and outside2
IP addresses, you would use:

nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
global (outside2) 1 interface

This would save the rest of your addresses for other things.

Alternatively, you can skip the NAT on the pix and let each respective
router do its own NAT when the pix sends it a packet. You can also use
this method in a one interface setup with the PIX. The outside interface of
the pix could be on a segment (pick a subnet of your choice) with the two
routers. Use OSPF the same way. However, this is not nearly as flexible as
the two interface configuration and I don't really recommend this method.

HTH,

Mike

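
Mike's two-interface design written out as concrete commands, as an added example that is not from the thread: each 2621 originates a default into OSPF (on IOS a static default is advertised with "default-information originate", since "redistribute static" alone does not carry 0.0.0.0/0), ISP2's router uses a worse metric, and the PIX 6.3 learns both defaults and installs the better one. The /27 blocks (203.0.113.0/27, 198.51.100.0/27), the 192.168.0.0/16 inside range, the interface names and the key placeholder are constructed, and the PIX "routing interface" OSPF authentication submode is quoted from memory and should be checked against the 6.3 command reference; MD5 authentication is included so that only the two routers can inject a default route into the firewall.

```text
! ===== 2621 facing ISP1 (primary) =====
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.224
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF_KEY_PLACEHOLDER
!
! Static default points at the ISP-facing interface, so it leaves the
! routing table (and OSPF stops originating it) when that link goes down.
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router ospf 1
 network 203.0.113.0 0.0.0.31 area 0
 default-information originate metric 10

! ===== 2621 facing ISP2 (backup) =====
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.224
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPF_KEY_PLACEHOLDER
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
router ospf 1
 network 198.51.100.0 0.0.0.31 area 0
 ! Worse metric: the PIX only uses this default once ISP1's is withdrawn
 default-information originate metric 100

! ===== PIX 515 running 6.3 =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 outside2 security0
ip address outside 203.0.113.2 255.255.255.224
ip address outside2 198.51.100.2 255.255.255.224
ip address inside 192.168.0.1 255.255.0.0
! PAT all inside hosts onto whichever outside interface the route selects
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface
global (outside2) 1 interface
! Learn both defaults over OSPF; the lower E2 metric (10, via ISP1) wins
router ospf 1
 network 203.0.113.0 255.255.255.224 area 0
 network 198.51.100.0 255.255.255.224 area 0
routing interface outside
 ospf authentication message-digest
 ospf message-digest-key 1 md5 OSPF_KEY_PLACEHOLDER
routing interface outside2
 ospf authentication message-digest
 ospf message-digest-key 1 md5 OSPF_KEY_PLACEHOLDER
```

Without the "always" keyword each 2621 originates the default only while its own static default is in the routing table, so a serial interface going down withdraws the route and the PIX falls back to ISP2, but a circuit that stays up while the ISP fails further upstream is not detected by this scheme. Existing PAT sessions do not survive the switch, because they were translated to the old outside address.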

Just happened to be passing by... I can't address your question, but I
am reading a book that has coverage of your situation (two ISPs,
single points of failure, failover, redundant firewalls etc. ): High
Availability Networking by Vincent C. Jones. Check out pertinent white
papers, they may assist in your choices
(http://www.networkingunlimited.com/whitepapers.html ). These may
predate the latest updates to the PIX ( OSPF etc. ) but are still
useful.

Wow, very good read, Thank you!! I was worried about how I was going to go
about the natting of the two ISP's in the PIX. ISP1 does have a faster
connection, it's actually (2 T1's that are CEF bonded). ISP2 is a new one
we just installed to get away from the single carrier failure. I've never
worked w/ OSPF before so this should be fun.

Regards,
Jim

"Mike Gallagher" <> wrote in message
news:...
> Hmm, I think you have the gist of it but he's going to need more. First,
> you don't "send" floating static
> routes, but you can change the metric of redistributed static routes via
> OSPF thereby influencing the preferred route. Second, what is there to
> send to the PIX besides a default in this case? I don't follow your
> statement "each sending the route to its own ISP with high priority and
> the route to the other ISP with low priority.". What "route" to its own ISP,
> default? Doesn't make sense, but it doesn't matter.
>
> If all you are looking for is ISP2 to backup ISP1, yes you should use a
> dynamic protocol, preferably OSPF in 6.3. You can use two interfaces on
> the PIX if you like. For example ISP1 on the outside interface and ISP2 on
> another interface you could name "outside2", with security0 (yes, you
> can). I strongly recommend making "outside2" security0 as two interfaces
> with the same security level cannot communicate with each other. This
> allows for easy isolation of the two ISPs. The outside IP address would be
> one of the 30 from ISP1 and the ethernet on ISP1's router would be another.
> Same with ISP2. Alternatively you can use one pix interface with VLANs but
> it's a little more straightforward to just use two interfaces. Set a
> default static on each router pointing to its respective ISP. On the
> routers, redistribute this static route into OSPF, use a higher metric on
> ISP2's router to make the default less attractive to the PIX. Or, if you
> don't care which ISP is primary and which is the backup, just redistribute
> the route on both with the defaults and let the PIX choose. If the primary
> goes away, you'll have the other one there.
>
> You'll then set up a nat for the inside and a global for outside and
> outside2. For example, to PAT on the IP address of the outside and
> outside2 IP addresses, you would use:
>
> nat (inside) 1 192.168.0.0 255.255.0.0
> global (outside) 1 interface
> global (outside2) 1 interface
>
> This would save the rest of your addresses for other things.
>
> Alternatively, you can skip the NAT on the pix and let each respective
> router do its own NAT when the pix sends it a packet. You can also use
> this method in a one interface setup with the PIX. The outside interface
> of the pix could be on a segment (pick a subnet of your choice) with the
> two routers. Use OSPF the same way. However, this is not nearly as
> flexible as the two interface configuration and I don't really recommend
> this method.
>
> HTH,
>
> Mike
